Scheduler-Specific Confidentiality for Multi-threaded Programs and Its Logic-Based Verification
Observational determinism has been proposed in the literature as a way to ensure confidentiality for multi-threaded programs. Intuitively, a program is observationally deterministic if the behavior of the public variables is deterministic, i.e., independent of the private variables and the scheduling policy. Several formal definitions of observational determinism exist, but all of them have shortcomings; for example they accept insecure programs or they reject too many innocuous programs. Besides, the role of schedulers was ignored in all the proposed definitions. A program that is secure under one kind of scheduler might not be secure when executed with a different scheduler. The existing definitions do not always ensure that an accepted program behaves securely under the scheduler that is used to execute the program.
Therefore, this paper proposes a new formalization of scheduler-specific observational determinism. It accepts programs that are secure when executed under a specific scheduler. Moreover, it is less restrictive on harmless programs under a particular scheduling policy. We discuss the properties of our definition and argue why it better approximates the intuitive understanding of observational determinism. In addition, we also discuss how compliance with our definition can be verified, using model-checking.
Unable to display preview. Download preview PDF.
- 1.Barthe, G., D’Argenio, P., Rezk, T.: Secure information flow by self-composition. In: Foccardi, R. (ed.) Computer Security Foundations Workshop, pp. 100–114. IEEE Press (2004)Google Scholar
- 2.Barthe, G., Prensa Nieto, L.: Formally verifying information flow type systems for concurrent and thread systems. In: Proceedings of the 2004 ACM Workshop on Formal Methods in Security Engineering, FMSE 2004, pp. 13–22. ACM (2004)Google Scholar
- 5.Huisman, M., Ngo, T.M.: Scheduler-specific confidentiality for multi-threaded programs and its logic-based verification. Technical Report TR-CTIT-11-22, CTIT, University of Twente, Netherlands (2011)Google Scholar
- 6.Huisman, M., Worah, P., Sunesen, K.: A temporal logic characterization of observation determinism. In: Computer Security Foundations Workshop. IEEE Computer Society (2006)Google Scholar
- 7.Huth, M., Ryan, M.: Logic in computer science: modeling and reasoning about the system, 2nd edn. Cambridge University Press (2004)Google Scholar
- 10.Roscoe, A.W.: Csp and determinism in security modeling. In: IEEE Symposium on Security and Privacy, p. 114. IEEE Computer Society (1995)Google Scholar
- 11.Russo, A., Sabelfeld, A.: Security interaction between threads and the scheduler. In: Computer Security Foundations Symposium, pp. 177–189 (2006)Google Scholar
- 13.Terauchi, T.: A type system for observational determinism. In: Computer Science Foundations (2008)Google Scholar
- 14.Zdancewic, S., Myers, A.C.: Observational determinism for concurrent program security. In: Computer Security Foundations Workshop, pp. 29–43. IEEE Press (June 2003)Google Scholar